On Mon, Dec 31, 2012 at 9:42 AM, Tobias Klausmann <klausman@g.o> wrote:
> Now before you reply, RTFA. Also note that while my own opinion
> on the matter is irrelevant, I _do_ think that his concerns need
> to be addressed, particularly the second half of his statement.

SSL Certificate Authorities are a mess. Grab your favorite
browser/phone/etc. and take a look at the list of trusted authorities
and tell me if you have even heard of half of them. If you look at
the list on a mobile device that is more than a year old or so, most
likely it still has the compromised Diginotar certificates on it,
since nobody bothers to update most of these devices after they are
sold (one or two brands notwithstanding).

Mozilla of course happily packaged the Diginotar certificates because
they paid the substantial fee and had the stack of paper that
demonstrated that at one point in time they at least had something
that resembled secure operations during a cursory audit. They have
been steadily blocking providers like CACert for just as long as they
had not demonstrated proper security theater. As far as I'm aware,
the latter hasn't been handing out certificates for everything from
GMail to Hotmail to random hackers.

The certificates that Gentoo distributes have at least been vouched
for by somebody who is a part of our community, which is more than can
be said for most of the upstream certificates.

The bottom line is that if you care about security that much, you will
de-list all the CAs on your system and do your own audits (routinely),
or white-list individual website certificates (again after whatever
level of due diligence you feel is appropriate). Perhaps you might
even hire somebody to do this work for you, but it will be somebody
you actually pay, and who will therefore treat you as a customer.
Make no mistake, you are NOT the customer of the CAs in your browser -
you are their product, sold to various companies for $200/yr or
whatever the going rate is. It really isn't that much different from
advertising: if you want to get your message out, then you pay the
gatekeepers for the privilege.

My suggestion is to leave things alone, and by all means have a
disclaimer on the ca-certificates package as Debian does. I'd rather
not bundle any certificates than be a party to the
hand-over-$10k-for-the-right-to-MITM-random-websites game.

Rich